5 Replies Latest reply on Nov 6, 2003 12:19 AM by swatkat

    Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not working

    swatkat

      Migration Problem

      Hello,

      I am working on JBoss 3.2.1 and using Jetty as the web container.

      We have our application secured by the BASIC auth-method, and on accessing
      the servlet on JBoss 3.2.1 + Jetty everything works perfectly fine, i.e. Basic Authentication
      takes place as the browser prompts with the authentication dialogue box.

      But while trying to migrate to JBoss 3.2.2, which comes integrated by default with Tomcat 4.1x,
      the deployment is successful and the main context displays the welcome login page.
      But when I try to use the application, which needs authentication, the browser doesn't ask
      for credentials; the browser DOES NOT prompt me with
      the username/password dialogue box, and the EJB container reports the authentication failure.

      server.log
      ******************************************************************************
      2003-10-28 14:13:13,838 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
      2003-10-28 14:13:13,838 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:229)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:81)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
      ...
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      ...
      at SYS.UserInterface.SecureLoginUIServlet.doGet(SecureLoginUIServlet.java:119)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
      ...
      at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:220)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
      ...
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
      at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
      ...
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
      at java.lang.Thread.run(Thread.java:534)
      2003-10-28 14:13:13,854 INFO [STDOUT] RemoteException : java.rmi.ServerException: EJBException:; nested exception is:
      javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
      Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
      2003-10-28 14:13:13,870 ERROR [org.jboss.web.localhost.Engine] StandardWrapperValve[SecureLoginUIServlet]: Servlet.service() for servlet SecureLoginUIServlet threw exception
      java.lang.NullPointerException
      at SYS.UserInterface.SecureLoginUIServlet.doGet(SecureLoginUIServlet.java:149)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
      ...
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)

      ******************************************************************************

      web.xml
      ******************************************************************************
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>servlet</web-resource-name>
          <description>Declarative security tests</description>
          <url-pattern>/PracticeVeterinary/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <description>Any user with a valid login</description>
          <role-name>ValidUser</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>no description</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>example2</realm-name>
      </login-config>
      <security-role>
        <description>A user allowed to invoke echo methods</description>
        <role-name>Echo</role-name>
      </security-role>
      ******************************************************************************

      jboss-web.xml
      ******************************************************************************
      <jboss-web>
        <security-domain>java:/jaas/example2</security-domain>
        ....
      </jboss-web>
      ******************************************************************************

      login-conf.xml
      ******************************************************************************
      <application-policy name="example2">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName">java:/sscdb</module-option>
            <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
            <module-option name="rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
          </login-module>
        </authentication>
      </application-policy>
      ******************************************************************************

      ejb-jar.xml
      ******************************************************************************
      ...
      <session>
        <description>SYS.SecureLoginBean</description>
        <display-name>SecureLoginBean</display-name>
        <ejb-name>SecureLoginBean</ejb-name>
        <home>SYS.ProblemDomain.SecureLoginHome</home>
        <remote>SYS.ProblemDomain.SecureLogin</remote>
        <ejb-class>SYS.ProblemDomain.SecureLoginBean</ejb-class>
        <session-type>Stateless</session-type>
        <transaction-type>Container</transaction-type>
        <resource-ref>
          <res-ref-name>jdbc/sscdb</res-ref-name>
          <res-type>javax.sql.DataSource</res-type>
          <res-auth>Container</res-auth>
        </resource-ref>
      </session>

      <assembly-descriptor>
        <security-role>
          <role-name>SuperUser</role-name>
        </security-role>
        <security-role>
          <role-name>ValidUser</role-name>
        </security-role>
      </assembly-descriptor>
      ...
      ******************************************************************************

      Why does the above application work with JBoss 3.2.1 + Jetty and not work with
      JBoss 3.2.2 + Tomcat?

      It fails to produce a BASIC authentication dialog box when it is run on the JBoss + Tomcat version.


      Any views ..?

      Swatkat

        • 1. Re: Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not wor

          In your web.xml I can see you've declared a security role "Echo" but nothing for "ValidUser", which is the authorization you require in the auth-constraint section.

          -- Juha

          • 2. Re: Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not wor
            swatkat

            But the same thing works with the Jetty version of 3.2.2;
            secondly, I don't get the BASIC login prompt when I access the resource that is under context /PracticeVeterinary. I wonder why?

            --swatkat

            • 3. Re: Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not wor

              Why don't you just add that declaration, since it is mandatory, and try to get your app to run with correctly formed deployment descriptors.

              -- Juha

              • 4. Re: Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not wor
                swatkat

                Okay,
                here is what I did: as you told me, I added the same role that was being expected as an auth constraint in the web.xml file.

                Here's what my web.xml looks like:
                --------------------------------------------------------------------------
                <session-config>
                  <session-timeout>30</session-timeout>
                </session-config>
                <error-page>
                  <exception-type>java.lang.SecurityException</exception-type>
                  <location>/PracticeWebApplication/html/Security.html</location>
                </error-page>
                <error-page>
                  <exception-type>java.lang.RemoteException</exception-type>
                  <location>/PracticeWebApplication/html/RMI.html</location>
                </error-page>
                <error-page>
                  <error-code>401</error-code>
                  <location>/html/bad_password.htm</location>
                </error-page>
                <security-constraint>
                  <web-resource-collection>
                    <web-resource-name>servlet</web-resource-name>
                    <description>Declarative security tests</description>
                    <url-pattern>/servlet/*</url-pattern>
                    <http-method>HEAD</http-method>
                    <http-method>GET</http-method>
                    <http-method>POST</http-method>
                    <http-method>PUT</http-method>
                    <http-method>DELETE</http-method>
                  </web-resource-collection>
                  <auth-constraint>
                    <description>Any user with a valid login</description>
                    <role-name>ValidUser</role-name>
                  </auth-constraint>
                  <user-data-constraint>
                    <description>no description</description>
                    <transport-guarantee>NONE</transport-guarantee>
                  </user-data-constraint>
                </security-constraint>
                <login-config>
                  <auth-method>BASIC</auth-method>
                  <realm-name>example2</realm-name>
                </login-config>
                <security-role>
                  <description>A user allowed to invoke any methods</description>
                  <role-name>ValidUser</role-name>
                </security-role>

                ....
                -----------------------------------------------------------------------------

                The main page of the application is located at the URL http://host:8080/PracticeWebApplication/html/loginpage.html

                On that I have a submit button that invokes
                http://host:8080/PracticeWebApplication/servlet/LoginServlet

                Ideally it prompts me for a username/password when I deploy it on Jetty 4.2, but it fails to do so on the Tomcat version.

                Am I doing it wrong somewhere?

                • 5. Re: Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not wor
                  swatkat

                  Hello Juha,

                  I think I FOUND THE PROBLEM AREA in my migration deployment: in my web.xml I have a tag for displaying a custom error:

                  <error-page>
                    <error-code>401</error-code>
                    <location>/html/bad_password.htm</location>
                  </error-page>

                  Now this page should ideally be displayed when there is an invalid password, but in my case, instead of displaying the Basic Auth dialogue, the browser just redirects to the above page, i.e. bad_password.htm.

                  Why is Tomcat behaving in this fashion instead?

                  Jetty works okay with the above <error-page> tag and correctly first prompts for username and password, then on failure it displays the page.

                  Any views..?

                  Regards

                  Swatkat
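A small descriptor lint, added here as an example (not code from the thread or from JBoss/Tomcat), that checks a web.xml for the two problems raised above: reply 1's auth-constraint role with no matching security-role declaration, and reply 5's 401 error-page sitting next to BASIC login-config. The embedded web.xml is constructed to reproduce both.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml modelled on this thread's descriptors (not the poster's
# file): "ValidUser" is required but only "Echo" declared, and a 401
# <error-page> sits next to BASIC <login-config>.
SAMPLE_WEB_XML = """<web-app>
  <error-page>
    <error-code>401</error-code>
    <location>/html/bad_password.htm</location>
  </error-page>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>servlet</web-resource-name>
      <url-pattern>/PracticeVeterinary/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ValidUser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>Echo</role-name>
  </security-role>
</web-app>
"""

def lint_web_xml(xml_text):
    """Return findings for the two descriptor problems raised in the thread."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Each role an auth-constraint requires must be declared in a
    #    <security-role> (reply 1). "*" means "any authenticated role".
    declared = {rn.text.strip() for sr in root.findall("security-role")
                for rn in sr.findall("role-name")}
    for rn in root.findall("security-constraint/auth-constraint/role-name"):
        role = rn.text.strip()
        if role != "*" and role not in declared:
            findings.append(f"undeclared role in auth-constraint: {role}")
    # 2. A 401 error-page beside BASIC auth is what reply 5 found: Tomcat
    #    served that page instead of the browser's login prompt.
    if root.findtext("login-config/auth-method", "").strip().upper() == "BASIC":
        for ep in root.findall("error-page"):
            if ep.findtext("error-code", "").strip() == "401":
                loc = ep.findtext("location", "").strip()
                findings.append(f"401 error-page with BASIC auth: {loc}")
    return findings
```

Run it against a real web.xml by passing the file's contents to lint_web_xml; an empty list means neither problem is present.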